Logging attack context data

ABSTRACT

Methods and systems for improved attack context data logging are provided. According to one embodiment, configuration information is received by a firewall device from a network administrator. The configuration information includes a number (N) of packets to capture by the firewall device responsive to an event detected by the firewall device that is potentially indicative of a threat or undesired activity. Multiple packets are received by the firewall device. The firewall device applies an attack detection algorithm, including one or more of a set of intrusion detection signatures, a set of malware detection signatures and a set of security policies, to the received packets. Responsive to the firewall device determining that a trigger packet is associated with a potential threat or potential undesired activity, the firewall device causes information regarding N packets of the received packets, inclusive of the trigger packet, to be stored in a log.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 13/950,252, filed Jul. 24, 2013, which is hereby incorporated by reference in its entirety for all purposes.

COPYRIGHT NOTICE

Contained herein is material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction of the patent disclosure by any person as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all rights to the copyright whatsoever. Copyright © 2013, Fortinet, Inc.

BACKGROUND

1. Field

Embodiments of the present invention generally relate to the field of computer networks. In particular, various embodiments relate to methods and systems for logging data to facilitate capturing and understanding of the context of an attack.

2. Description of the Related Art

Networked computers represent significant targets of opportunity for both recreational and malicious hackers, viruses, worms, scripted attacks, etc. Hacks and hackers have different levels of sophistication and, in cases of successful hacks, gain access to a computer through its network interface when the interface is coupled to the Internet. Computers supporting Internet Protocol (IP) and other IP network nodes are identified by their IP address, wherein each network interface can support up to several thousand ports. To help manage security of a given network interface, a firewall may be employed for processing data arriving at individual ports. Some ports, such as ports commonly used for HTTP protocol support, may be assigned or opened to allow traffic to pass through to a corresponding service, for example, running on a web server, which is configured to manage HTTP traffic. The firewall may close all other ports to restrict outside traffic from gaining access to the network.

A computer network typically includes a collection of interconnected computing devices that exchange data and share resources. Such devices may include, for example, web servers, database servers, file servers, routers, printers, end-user computers and other devices. Such a variety of devices may execute a myriad of different services and communication protocols, wherein each such service or communication protocol can expose the network to different security attacks.

Firewalls and intrusion detection systems are devices that are used to protect a computer network from unauthorized or disruptive users. A firewall can be used to secure a local area network (LAN) from users outside the network by checking, routing, and frequently labeling messages sent to or from users outside the network. An intrusion detection system (IDS) can be used to recognize suspicious patterns of behavior in a communication system, wherein examples of intrusion detection systems can include a network intrusion detection system (NIDS) and a host intrusion detection system (HIDS). A NIDS can be used to examine information being communicated within a network to recognize suspicious patterns of behavior, wherein a HIDS can be used to examine information being communicated through a particular host computer within a network to recognize suspicious patterns of behavior. Information obtained by an IDS can be used to block unauthorized or disruptive users from accessing the network.

With the development of network technologies and applications, network attacks are greatly increasing both in number and severity. Being a key technique in the network security domain, Intrusion Prevention Systems (IPSs) play a vital role in detecting various kinds of attacks and securing networks from such detected attacks. Another purpose of an IPS is to log evidence of intrusions within normal audit data. An IPS is an effective security technology, which can detect, prevent and possibly react to an attack, wherein the IPS performs monitoring of activities by target sources and employs various techniques for providing security services. An IPS may also gather evidence of an attacker's activity, remove the attacker's access to the network and reconfigure the network to resist the attacker's penetration technique and/or subsequent network access by the attacker.

Generally, firewalls, intrusion detection systems, or specific packet analyzers create log records across one or more sessions (source-destination interactions) that record information regarding packets associated with such sessions, wherein the log records can include details of requested or sent packets such as source IP, destination IP, timestamp, destination port and other details. Analysis of such packets, at run time, can help intrusion detection systems or other such tools in assessing whether the packet is an attack packet. To assist with post-attack analysis, some existing intrusion detection systems log one or more packets once an intrusion is detected; however, merely logging one or more packets received after the attack has been detected is not typically sufficient to aid those performing post-attack analysis in understanding the complete context of the attack.

SUMMARY

Methods and systems are described for improved attack context data logging. According to one embodiment, configuration information is received by a firewall device from a network administrator. The configuration information includes a number (N) of packets to capture by the firewall device responsive to an event detected by the firewall device that is potentially indicative of a threat or undesired activity. Multiple packets are received by the firewall device. The firewall device applies at least one attack detection algorithm to the received packets. The attack detection algorithm includes one or more of a set of intrusion detection signatures, a set of malware detection signatures and a set of security policies. Responsive to the firewall device determining that a trigger packet is associated with a potential threat or potential undesired activity, the firewall device causes information regarding N packets of the received packets, inclusive of the trigger packet, to be stored in a log.

Other features of embodiments of the present disclosure will be apparent from the accompanying drawings and from the detailed description that follows.

BRIEF DESCRIPTION OF THE DRAWINGS

In the Figures, similar components and/or features may have the same reference label. Further, various components of the same type may be distinguished by following the reference label with a second label that distinguishes among the similar components. If only the first reference label is used in the specification, the description is applicable to any one of the similar components having the same first reference label irrespective of the second reference label.

FIG. 1 illustrates an exemplary architecture of a network intrusion detection system in accordance with an embodiment of the present invention.

FIG. 2 illustrates exemplary modules of a network intrusion detection system in accordance with an embodiment of the present invention.

FIG. 3 illustrates ingression and egression of traffic packets into a network appliance in accordance with an embodiment of the present invention.

FIG. 4 illustrates an exemplary network appliance sending a log to a logging system in accordance with an embodiment of the present invention.

FIG. 5 is a flow diagram illustrating logging of attack context data in accordance with an embodiment of the present invention.

FIG. 6 is an exemplary computer system in which or with which embodiments of the present invention may be utilized.

DETAILED DESCRIPTION

Embodiments of the present invention generally relate to methods and systems provided for preventing attacks in a network by logging packets before and/or after detection of an attack, which may facilitate understanding of the context of the attack and allow preemptive action to be taken. In one aspect, the system of the present invention may be configured to store a predetermined or configurable quantity (e.g., defined in terms of a specific number of packets or defined in terms of a timeframe) of packets across one or more sessions in a buffer such that once an attack packet is detected, packets present in the buffer can be retrieved and analyzed along with the packet that triggered the detection and/or a predetermined or configurable quantity of packets received after detection of the attack packets so as to understand the context of the attack.

In the following description, numerous specific details are set forth in order to provide a thorough understanding of embodiments of the present invention. It will be apparent to one skilled in the art that embodiments of the present invention may be practiced without some of these specific details.

Embodiments of the present invention include various steps, which will be described below. The steps may be performed by hardware components or may be embodied in machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with the instructions to perform the steps. Alternatively, steps may be performed by a combination of hardware, software, firmware and/or by human operators.

Embodiments of the present invention may be provided as a computer program product, which may include a machine-readable storage medium tangibly embodying thereon instructions, which may be used to program a computer (or other electronic devices) to perform a process. The machine-readable medium may include, but is not limited to, fixed (hard) drives, magnetic tape, floppy diskettes, optical disks, compact disc read-only memories (CD-ROMs), and magneto-optical disks, semiconductor memories, such as ROMs, PROMs, random access memories (RAMs), programmable read-only memories (PROMs), erasable PROMs (EPROMs), electrically erasable PROMs (EEPROMs), flash memory, magnetic or optical cards, or other type of media/machine-readable medium suitable for storing electronic instructions (e.g., computer programming code, such as software or firmware).

Various methods described herein may be practiced by combining one or more machine-readable storage media containing the code according to the present invention with appropriate standard computer hardware to execute the code contained therein. An apparatus for practicing various embodiments of the present invention may involve one or more computers (or one or more processors within a single computer) and storage systems containing or having network access to computer program(s) coded in accordance with various methods described herein, and the method steps of the invention could be accomplished by modules, routines, subroutines, or subparts of a computer program product.

If the specification states a component or feature “may”, “can”, “could”, or “might” be included or have a characteristic, that particular component or feature is not required to be included or have the characteristic.

Although the present disclosure has been described with the purpose of detecting and preventing network attacks, it should be appreciated that the same has been done merely to illustrate the invention in an exemplary manner, and any other purpose or function for which the explained structure or configuration can be used is covered within the scope of the present disclosure.

Embodiments of the present disclosure and their advantages are best understood by reference to FIG. 1. FIG. 1 illustrates an exemplary network architecture 100 conceptually showing a network environment in which one or more Intrusion Detection Systems (IDSs), alternatively also referred to as Intrusion Prevention Systems (IPSs), operate. As shown in FIG. 1, network architecture 100 comprises one or more company networks 102-1, 102-2, . . . , 102-n, collectively referred to as company network(s) 102 hereinafter. Network architecture 100 further comprises a router 108 operatively coupled to company network 102-1 and a firewall 106 operatively coupled with company network 102-2, wherein the router 108 and firewall 106 enable access to Internet 110. In an embodiment, each company network 102 can include one or more computing devices such as computers, laptops, smart devices, tablet PCs, among other such devices that are operatively coupled to each other through a Local Area Network (LAN), wherein the LAN is then operatively coupled with one or more networking devices such as routers, switches, hubs, gateways, among other such devices that enable access to Internet 110.

According to one embodiment, a firewall 106 separates the external computing environment, represented by Internet 110, from the internal computing environment associated with company network 102. A firewall 106 can be coupled with one or more network devices to enable efficient routing and access to Internet 110. An attacker 112 may attempt to inflict damage upon protected equipment or data/content stored therein by sending attack packets to computing devices, web servers, among other such IT equipment that form part of the network 102, using Internet 110 as a means. Such an attacker 112 may use platforms, such as denial of service (DoS) attacks, bandwidth attacks, connectivity attacks, distributed denial of service (DDoS) attacks, targeted common gateway interface (CGI) attacks, HTTP-based attacks, malicious packets, worms such as the W32.SQLExp.Worm, WWW attacks, reconnaissance activity, and so forth, all of which are generically referred to as “network anomalies” or “attacks” herein for descriptive convenience. Attacker 112 may issue such attacks or introduce such network anomalies through attack or malicious packets using Internet 110. Therefore, it is desirable to accurately separate and distinguish among legitimate packets and attack packets.

According to one embodiment, architecture 100 further comprises IDS 104-1 operatively coupled with company network 102-1, and IDS 104-2 operatively coupled with company network 102-2, wherein IDS 104 is configured to monitor packets flowing into or out of company network 102 and accordingly detect the presence of network anomalies by observing malicious traffic incoming to, or originating from, the protected company network 102. Responsive to the output of the IDS 104, the company network 102 can take appropriate measures to handle the packet, such as to suspend the packet, block the malicious attack packet, or allow the packet. The purpose of IDS 104 therefore is to distinguish among legitimate packets and those potentially representing part of an attack and provide a mechanism for detection of security violations either in real time or batch mode, wherein the violations are initiated either by outsiders attempting to break into a system or by insiders attempting to misuse their privileges. Other major functions performed by IDS 104 can include monitoring and analyzing user and system activities, assessing the integrity of critical system or data files, recognizing activity patterns reflecting known attacks, responding automatically to detected activity, and reporting results of the detection process, in which a log can be created relating to perceived attack packets to facilitate analysis and prevention of future intrusions, attacks and/or false positives.

According to one embodiment, IDS 104 is configured to log incoming and outgoing packets, or a subset of the information contained therein, in a buffer of a defined and configurable size, wherein for each packet, if the IDS 104 assesses the packet to be legitimate, the packet (or relevant portion(s) thereof) is stored in the buffer (e.g., a circular buffer). IDS 104 can further be configured such that once it determines a packet to be a potential or known attack packet (e.g., a packet that matches one or more attack detection algorithms implemented by IDS 104), IDS 104 retrieves a predetermined or configurable number of previously buffered packets and prepares a log based on the retrieved packets and the potential or known attack packets. The IDS may also log a predetermined or configurable number of packets received after the potential or known attack packet, thereby capturing context both before and after the potential or known attack packet. In this manner, a complete attack context is sought to be provided to facilitate subsequent analysis. This complete attack context is thought to assist in understanding the context of the attack, which otherwise is not possible by mere assessment of the attack packets alone. In an embodiment, packets received by IDS 104 after detection of a potential or known attack packet can also be logged into the same or another buffer and used during preparation of the log. Assessment of the log can further help in defining and/or implementing signatures (or other attack detection algorithms) that can improve the efficiency and efficacy of preventing and detecting network attacks and/or anomalies.

According to an embodiment, the buffer can be a circular buffer, wherein once the buffer is full, each new packet can replace the oldest packet in the buffer (using the first-in-first-out principle). According to another embodiment, each new packet can also be configured to replace the least significant packet, such that when one or more attack packets are received by the IDS 104, only the most important set of packets (having high information content relative to attack context) are retrieved from the buffer and used for preparing and analyzing the log. In yet another embodiment, instead of logging each packet in a buffer, only packets that meet a defined condition/rule, or packets received within a defined timeframe, or packets intended for a defined set of computing devices, can be logged in a buffer.

It should be appreciated that terms such as blocking packets and suspending packets are to be interpreted widely as the enforcement of a defensive rule that is defined by the system based on the feedback it receives from IDS 104. Such feedback can include, for example, discarding, logging, or rate limiting traffic from a particular source address or set of source addresses; discarding, logging, or rate limiting traffic to a particular destination address or set of destination addresses; discarding, logging, or rate limiting UDP traffic from the Internet 110 to a particular subnet or set of subnets; discarding, logging, or rate limiting UDP traffic from the Internet 110 to a subnet with a particular UDP destination port or set of UDP destination ports; and so forth, including various combinations of the foregoing.

It is further to be appreciated that FIG. 1 is merely an exemplary illustration of a simplified enterprise network architecture. Alternative network architectures, with additional, fewer and/or different network security appliances, will also benefit from the teachings described herein. The present illustration therefore merely presents one instance of how a particular network security appliance (e.g., IDS 104) can be configured within a network 102 to monitor, assess, and define rules for logging ingress and egress packets.

FIG. 2 illustrates exemplary modules of a network intrusion detection system 200 in accordance with an embodiment of the present invention. According to one embodiment, network intrusion detection system 200, alternatively also referred to as network intrusion prevention system 200, is implemented in a network appliance and configured to help determine, identify, and understand the context of a network attack along with detecting/preventing network attacks. In an alternate embodiment, network intrusion prevention system 200 can also be implemented separate from the network appliance and operatively coupled thereto to implement analysis of incoming/outgoing network packets and take desired action based on rules/conditions defined therein. According to one embodiment, system 200 of the present invention includes a configuration module 202, a buffering module 204, an intrusion prevention module 206 and a logging module 208.

According to one embodiment, configuration module 202 allows a network administrator to define and structure the number of packets to be logged before and the number of packets to be logged after an attack has been detected, wherein an attack is defined as a sequence of one or more attack/undesired packets. In an instance, configuration module 202 can allow a user to configure “m” packets that are to be logged immediately before a first attack packet is detected and “n” packets that are to be logged immediately after the last attack packet is detected. According to one embodiment, the number of packets to be logged can be predetermined or can be configured in real-time such that only packets of interest are logged instead of all packets. According to another embodiment, configuration module 202 can also be configured to log a predetermined or configurable timeframe of packets both before and after detection of an attack packet such that only packets received during a defined timeframe are logged. Similarly, the number and kind of packets to be logged can be defined by the configuration module 202 to enable efficient and desired logging.

According to another embodiment, configuration module 202 is operatively coupled to one or more databases. In an exemplary embodiment, a database can be configured to store one or more signatures that use different techniques to detect attack packets. New and modified signatures (based on analysis of context data relating to prior attacks) can also be stored in the database. Databases can also be operatively coupled with other functional modules for efficient storage of data/content such as log files, as will be explained in the description hereinafter. According to another embodiment, an attack anomaly database can also be incorporated within system 200 and configured to be coupled with and controlled by configuration module 202 such that the anomaly database stores data corresponding to attack packets in the form of, say, a table such as a hash table. The anomaly database can be scanned to study deviations from normal behavior that indicate potential attack packets. Such deviations can then be combined with contextual information on the infrastructure (e.g., network topology, known existing attacks) to reduce false-positive alerts, by determining whether the attack has some chance of being successful and represents a real intrusion possibility.

According to an embodiment, configuration module 202 can also be configured to determine the duration for which the packets are to be logged. Furthermore, configuration module 202 can also be designed to identify the maximum number of bytes that are to be logged. Similarly, many other settings can be made by the module 202 to help system 200 analyze the context of a network attack and define signatures to prevent future network attacks.

It should be appreciated that the above disclosure merely mentions exemplary illustrations of the data/content that one or more databases can store, and that any other information can always be configured to be stored in the one or more databases, and all such variations are completely within the scope of the present invention. According to one embodiment, configuration module 202 can be implemented by means of a graphical user interface that allows a network administrator to define the characteristics of packets that are to be logged through one or more settings options that are present on the interface.

According to an embodiment, intrusion prevention module 206 can be operatively coupled with configuration module 202, buffering module 204, and logging module 208 and is configured to process one or more incoming and outgoing packets to take desired and condition-based actions. In an implementation, intrusion prevention module 206 can be centralized in design by being installed at a choke point of a network, e.g., at a network service provider gateway. Further, module 206 can be operated in a standalone mode with centralized applications, which are physically integrated within a single processing unit or a distributed IPS. According to one embodiment, intrusion prevention module 206 can be configured to scan network packets received by a network appliance and send them to the buffering module 204. In an implementation, module 206 can be configured to scan one or more traffic packets based on characteristics of such packets and rules defined in the module 206. Based on the scanning, a packet may be determined to be an attack packet.

According to one embodiment, buffering module 204 is configured to define one or more buffers of fixed or configurable size to store one or more packets as and when received from the intrusion prevention module 206. Buffering module 204 can be operatively coupled with configuration module 202 such that the number and kind of packets to be logged, as defined by module 202, are used as the basis to store packets. According to one embodiment, the size of a buffer that is configured to store packets is no more than the number of packets that are defined by the configuration module 202 to be logged, and hence for each new packet that is received after the defined number of packets have been logged, the oldest logged packet can be overwritten. According to another embodiment, buffering module 204 can configure a buffer in real-time such that the size of the buffer is the same as the number of packets that are defined to be logged by the configuration module 202.

According to one embodiment, one or more buffers defined by the buffering module 204 are circular buffers such that once the buffer is full, each new packet replaces the oldest packet in the buffer. According to another embodiment, each packet can be stored along with its priority, which is evaluated by intrusion prevention module 206, such that any new packet that arrives when the buffer is full can replace the packet having the lowest priority. According to another embodiment, instead of storing the complete packet, only a subset of information from each packet is stored for efficient storage and retrieval of the buffered packets when an attack is detected.
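The lowest-priority replacement embodiment and the subset-of-information embodiment, worked through as an added example (this is not code from the patent or from Fortinet): a bounded buffer that keeps only a per-packet summary and, when full, drops the least significant entry instead of the oldest. The PacketSummary fields, the priority_for scoring rule and the sample values are assumptions constructed for illustration.

```python
import heapq
from dataclasses import dataclass
from itertools import count
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class PacketSummary:
    """Subset of packet information kept instead of the full packet (assumed fields)."""
    ts: float
    src: str
    dst: str
    dport: int
    length: int

def priority_for(s: PacketSummary) -> int:
    """Constructed significance score: traffic to ports the firewall does
    not normally expose outranks ordinary web traffic."""
    return 1 if s.dport in (80, 443) else 2

class PriorityBuffer:
    """Bounded buffer that, when full, drops the least significant entry
    (lowest priority, oldest among equals) rather than simply the oldest."""

    def __init__(self, capacity: int):
        if capacity < 1:
            raise ValueError("capacity must be at least 1")
        self.capacity = capacity
        # Min-heap of (priority, arrival order, summary): the root is the
        # candidate for eviction.
        self._heap: List[Tuple[int, int, PacketSummary]] = []
        self._arrival = count()

    def add(self, s: PacketSummary) -> Optional[PacketSummary]:
        """Insert s and return the summary that was dropped, if any."""
        entry = (priority_for(s), next(self._arrival), s)
        if len(self._heap) < self.capacity:
            heapq.heappush(self._heap, entry)
            return None
        # Buffer full. A newcomer with strictly lower priority than the root
        # is itself the least significant entry, so it is the one dropped.
        if entry[0] < self._heap[0][0]:
            return s
        # Otherwise pop the root (oldest among the lowest priority) and push s.
        return heapq.heapreplace(self._heap, entry)[2]

    def snapshot(self) -> List[PacketSummary]:
        """Buffered summaries in arrival order, ready to be merged into a log."""
        return [e[2] for e in sorted(self._heap, key=lambda e: e[1])]
```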

According to another embodiment, one or more buffers defined by buffering module 204 can also be configured to store packets that are received after the attack is detected. In an implementation, packets received before detection of an attack can be stored in a separate buffer from the packets received after detection of the attack. In an alternate implementation, the predetermined or configurable quantity of packets received before detection of the attack can be stored in the same buffer as the predetermined or configurable quantity of packets received after detection of the attack. It should be appreciated that the number and type of packets that are to be buffered after detection of an attack can be different in context, type, and qualifiers from the packets that are to be buffered prior to detection of the attack.

In an implementation, once the intrusion prevention module 206 detects an attack by means of an attack packet, packets stored in one or more buffers of the buffering module 204 can be sent to logging module 208 along with the packet triggering the detection, so as to enable the logging module 208 to create a log using the attack packet and a set of packets received prior to the detection. According to one embodiment, packets logged prior to detection of an attack can be merged with packets logged after detection of the attack to form a log. Such a log can have markers or other like differentiators that can help distinguish attack and legitimate packets. Logs created by logging module 208 can subsequently be sent to a logging system (not shown) to facilitate understanding of the context of the network attack. An administrative user can therefore use the logging system to understand the behavior and/or pattern of the attack and can accordingly take measures to implement and deploy signatures to prevent future attacks.
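The configurable “m” packets before the first attack packet and “n” packets after the last one, the circular pre-detection buffer, and the merged log with markers separating attack from legitimate packets, worked through end to end as an added example (not code from the patent or from Fortinet). The Packet layout, the substring “signatures”, the marker names and the sample traffic are assumptions constructed for illustration; it also handles the stream ending before the after-window fills.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional, Tuple

@dataclass
class Packet:
    seq: int        # constructed sequence number, stands in for a timestamp
    src: str
    dst: str
    dport: int
    payload: bytes

# Constructed stand-ins for intrusion detection signatures: a packet whose
# payload contains the pattern is classified as an attack packet.
SIGNATURES = {
    "sig-dir-traversal": b"../../",
    "sig-sql-union": b"UNION SELECT",
}

def match_signatures(pkt: Packet) -> Optional[str]:
    """Return the name of the first signature the packet matches, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in pkt.payload:
            return name
    return None

# Log entry: (marker, seq, signature or None); the marker separates context from attack packets.
Entry = Tuple[str, int, Optional[str]]

class ContextLogger:
    """m packets before the first attack packet, every attack packet, n after the last."""

    def __init__(self, m: int, n: int):
        if m < 0 or n < 0:
            raise ValueError("m and n must be non-negative")
        self.m, self.n = m, n
        self.pre: Deque[Packet] = deque(maxlen=m)  # circular (FIFO) buffer
        self.current: List[Entry] = []             # log being assembled
        self.post_remaining = 0
        self.logs: List[List[Entry]] = []

    def _close(self) -> None:
        if self.current:
            self.logs.append(self.current)
            self.current = []
        self.post_remaining = 0

    def process(self, pkt: Packet) -> str:
        """Scan one packet and return the verdict, 'allow' or 'block'."""
        sig = match_signatures(pkt)
        if sig is not None:
            if not self.current:
                # Trigger packet: snapshot the m packets that preceded it.
                self.current = [("pre", p.seq, None) for p in self.pre]
            self.current.append(("attack", pkt.seq, sig))
            # n is counted after the *last* attack packet, so a further
            # attack packet restarts the after-window.
            self.post_remaining = self.n
            if self.n == 0:
                self._close()
            return "block"
        # Legitimate packet: always copied into the ring buffer, and also
        # into the open log while the after-window is still being filled.
        self.pre.append(pkt)
        if self.current:
            self.current.append(("post", pkt.seq, None))
            self.post_remaining -= 1
            if self.post_remaining == 0:
                self._close()
        return "allow"

    def flush(self) -> None:
        """End of capture: emit a partial log if the after-window never filled."""
        self._close()

def run_capture(packets: List[Packet], m: int, n: int):
    """Run a packet list through the logger; return (verdicts, logs)."""
    logger = ContextLogger(m, n)
    verdicts = [logger.process(p) for p in packets]
    logger.flush()
    return verdicts, logger.logs

def format_log(log: List[Entry]) -> str:
    """Render a log as lines such as 'pre    #3' and 'ATTACK #4 sig-...'."""
    lines = []
    for marker, seq, sig in log:
        label = "ATTACK" if marker == "attack" else marker
        lines.append(f"{label:6} #{seq}" + (f" {sig}" if sig else ""))
    return "\n".join(lines)

def sample_traffic() -> List[Packet]:
    """Constructed HTTP-like stream; seq 4, 5 and 9 match a signature."""
    bodies = [b"GET /index.html", b"GET /style.css", b"GET /logo.png",
              b"GET /../../config", b"GET /q?x=1 UNION SELECT a,b",
              b"GET /favicon.ico", b"GET /about.html", b"GET /contact.html",
              b"GET /../../archive", b"GET /robots.txt"]
    return [Packet(i, "198.51.100.7", "192.0.2.10", 80, b)
            for i, b in enumerate(bodies, 1)]
```

With m=2 and n=2, run_capture(sample_traffic(), 2, 2) yields one log for the attack sequence 4-5 (context 2, 3 before and 6, 7 after) and a partial log for packet 9 that flush() closes with only packet 10 after it.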

It should be appreciated that even though FIG. 2 illustrates implementation of configuration module 202, buffering module 204, intrusion prevention module 206, and logging module 208 in network appliance 200, each of these modules can also be implemented partially within the network appliance 200 and partially outside. For instance, configuration module 202 can be implemented on the administrator's computing device and buffering module 204 can be implemented within a storage device.

FIG. 3 illustrates ingression and egression of traffic packets into and out of a network appliance 304 in accordance with an embodiment of the present invention. As shown in exemplary illustration 300, network packets 302 a, 302 b, . . . , 302 i, . . . , 302 j, . . . , 302 z include ingression/incoming traffic packets, of which one or more can be attack packets. According to one implementation, network appliance 304 comprises intrusion prevention module 306 and logging module 308. Intrusion prevention module 306 can be configured to analyze incoming packets 302 for whether they are legitimate packets or attack packets. In an implementation, intrusion prevention module 306 is configured to allow buffering of a first set of packets prior to detecting an attack packet and buffering of a second set of packets once the attack detection has been triggered, using one or more buffers. For instance, in FIG. 3, packets 302 i-302 j can correspond to attack packets, and therefore intrusion prevention module 306 can be configured to buffer packets from 302 a up to the packet prior to 302 i, and further configured to buffer some subset of packets 302 j-302 z. It should be appreciated that instead of all of the predetermined or configurable quantity of packets received prior to or after detection of an attack, a subset of such packets can also be buffered based on conditions defined by the intrusion prevention module 306.

According to an embodiment, logging module 308 is configured to take the packet triggering the detection and the buffered packets as input and generate a log of packets, which when analyzed can facilitate understanding of the context of the network attack and help define better and/or more efficient signatures. In an instance, as illustrated in FIG. 3, the log of packets can be represented as 310 n . . . 310 m. Such a log can then be sent to a logging system for further analysis of attack context and stored in a defined memory location.

According to another embodiment, one or more network packets 312 a . . . 312 z can be issued and transmitted to intended destination addresses based on rules/conditions defined by intrusion prevention module 306. Such rules can be defined so as to reduce the number of false positives and help deliver all legitimate packets and block attack and/or undesired packets. In an instance, in case all attack packets 302 i-302 j are found by the intrusion prevention module 306 to be undesired, only legitimate buffered packets are sent to the intended recipients.

FIG. 4 illustrates network appliance 404 sending a log comprising both attack and legitimate packets to a logging system 408 in accordance with an embodiment of the present invention. As illustrated in FIG. 4, incoming packets 402 are first processed by network appliance 404 to distinguish among legitimate and attack packets and then create a log based on a combination of one or more legitimate packets and attack packets, such that the created log can then be sent to a logging system 408 for analysis of the context of the attack. Acceptable packets from the set of incoming packets 402 can be simultaneously or subsequently processed by network appliance 404 to yield output packets 406, which can be sent to intended recipients.

FIG. 5 is a flow diagram 500 illustrating logging of attack context data for determining context of a network attack by logging one or more network packets before and after an attack is detected. According to one embodiment of the present invention, method 500 comprises configuring “m” packets to be logged in a first buffer prior to detection of a network attack and “n” packets to be logged in a second buffer after detection of the network attack, and using such buffered packets along with the attack packet(s) to determine the context of the network attack. It should be appreciated that even though the present method has been described with reference to an intrusion prevention module that is implemented in a network appliance or a separate network intrusion detection/prevention system, any other appropriate system and device can be used to implement the steps of the present invention.

At block 510, traffic packets containing one or more legitimate and attack packets are received, wherein the packets are either sent or received by an internal network. At block 520, the received packets are scanned by applying one or more attack detection algorithms. In one embodiment, the attack detection algorithms include one or more of (i) a set of intrusion detection signatures, (ii) a set of malware detection signatures and (iii) a set of network security policy rules.

At decision block 530, based on the results of the scanning performed in block 520 a determination is made regarding whether the packet at issue is an attack packet. At block 540, if the packet at issue is determined to be a legitimate packet (e.g., one that does not trigger an attack detection signature), then the packet is copied into a buffer of defined/configurable size. According to another embodiment, instead of buffering all received packets, a subset of such packets can also be logged into the buffer, wherein the subset can be identified based on one or more of time, content of the packets, information in the header of the packets, session, among other configuration settings that can help determine desired network packets to be buffered. According to yet another embodiment, the buffer can include one or a combination of circular buffer, disk buffer, frame buffer, depth buffer, stencil buffer, variable length buffer, scale buffer, write buffer, among other like buffers.

At block 550, one or more buffered packets are managed based on one or more of size of buffer, configuration of number and kind of packets to be buffered, overwriting mechanism, among other buffer management settings/configurations.

At block 560, once an attack packet is detected, by the intrusion prevention module, for example, packets stored in the buffer can be retrieved and used along with the attack packet or a group thereof to form a log.

At block 570, a log is generated based on the buffered packets, the packet that triggered the detection and/or a predetermined or configurable quantity of packets received after the detection. Such a log can be generated, say by the logging module of the proposed system, based on settings defined by the module, wherein in an exemplary embodiment, the log can be generated by simply appending pre-attack detection legitimate packets, the attack packet and post-attack detection packets in accordance with their timestamps.

At block 580, the generated log is sent to a logging system, wherein the logging system analyzes the log to determine the context of the network attack.
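The following Python is an added worked example of blocks 540 through 580 and is not code from the patent or from any Fortinet product: a circular buffer holds the “m” most recent legitimate packets, a trigger packet starts a log that then collects up to “n” post-detection packets, and each finished log is ordered by timestamp. The signature set and the sample packets are constructed placeholders.

```python
import re
from collections import deque

# Constructed sample traffic as (timestamp, payload) tuples; not from the patent.
SAMPLE_PACKETS = [
    (1, b"GET /index.html"),
    (2, b"GET /about.html"),
    (3, b"GET /login"),
    (4, b"GET /../../etc/passwd"),  # constructed packet meant to trigger detection
    (5, b"GET /style.css"),
    (6, b"GET /logo.png"),
    (7, b"GET /contact"),
]

# Hypothetical signature set standing in for block 520's detection algorithms.
SIGNATURES = [re.compile(rb"\.\./")]


def is_attack(payload):
    """Block 530: the packet is an attack packet if any signature matches."""
    return any(sig.search(payload) for sig in SIGNATURES)


def capture_context(packets, m, n, detect=is_attack):
    """Return one log per trigger packet: up to m legitimate packets received
    before the trigger, the trigger itself, and up to n packets received after
    it, ordered by timestamp (blocks 540-570 of FIG. 5)."""
    pre = deque(maxlen=m)  # block 540/550: circular buffer, oldest entry overwritten
    logs, open_logs = [], []
    for pkt in packets:
        # block 570: every log still collecting post-detection packets takes this one
        for entry in open_logs:
            entry["log"].append(pkt)
            entry["left"] -= 1
        if detect(pkt[1]):
            # block 560: buffered pre-attack packets are joined with the trigger packet
            open_logs.append({"log": list(pre) + [pkt], "left": n})
        else:
            pre.append(pkt)  # only legitimate packets enter the pre-attack buffer
        for entry in [e for e in open_logs if e["left"] <= 0]:
            logs.append(sorted(entry["log"], key=lambda p: p[0]))
            open_logs.remove(entry)
    # block 580 would send each log; a log cut short by end of capture is still emitted
    logs.extend(sorted(e["log"], key=lambda p: p[0]) for e in open_logs)
    return logs
```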

FIG. 6 is an example of a computer system 600 with which embodiments of the present disclosure may be utilized. Computer system 600 may represent or form a part of a network device (e.g., firewall 106, IDS 104-1 or 104-2 or other network security gateway or appliance), a server, an administrative console or computer system or a client workstation.

Embodiments of the present disclosure include various steps, which have been described above. A variety of these steps may be performed by hardware components or may be tangibly embodied on a computer-readable storage medium in the form of machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with instructions to perform these steps. Alternatively, the steps may be performed by a combination of hardware, software, and/or firmware.

As shown, computer system 600 includes a bus 630, a processor 605, communication port 610, a main memory 615, a removable storage media 640, a read only memory 620 and a mass storage 625. A person skilled in the art will appreciate that computer system 600 may include more than one processor and communication ports.

Examples of processor 605 include, but are not limited to, an Intel® Xeon® or Itanium® processor(s), or AMD®, Opteron® or Athlon MP® processor(s), Motorola® lines of processors, FortiSOC™ system on a chip processors or other future processors. Processor 605 may include various modules associated with network appliance 200 as described with reference to FIG. 2. For example, processor 605 may include one or more of configuration module 202, buffering module 204, intrusion prevention module 206 and logging module 208.

Communication port 610 can be any of an RS-232 port for use with a modem based dialup connection, a 10/100 Ethernet port, a Gigabit or 10 Gigabit port using copper or fiber, a serial port, a parallel port, or other existing or future ports. Communication port 610 may be chosen depending on a network, such as a Local Area Network (LAN), Wide Area Network (WAN), or any network to which computer system 600 connects.

Memory 615 can be Random Access Memory (RAM), or any other dynamic storage device commonly known in the art. Read only memory 620 can be any static storage device(s) such as, but not limited to, Programmable Read Only Memory (PROM) chips for storing static information such as start-up or BIOS instructions for processor 605.

Mass storage 625 may be any current or future mass storage solution, which can be used to store information and/or instructions. Exemplary mass storage solutions include, but are not limited to, Parallel Advanced Technology Attachment (PATA) or Serial Advanced Technology Attachment (SATA) hard disk drives or solid-state drives (internal or external, e.g., having Universal Serial Bus (USB) and/or Firewire interfaces), such as those available from Seagate (e.g., the Seagate Barracuda 7200 family) or Hitachi (e.g., the Hitachi Deskstar 7K1000), one or more optical discs, Redundant Array of Independent Disks (RAID) storage, such as an array of disks (e.g., SATA arrays), available from various vendors including Dot Hill Systems Corp., LaCie, Nexsan Technologies, Inc. and Enhance Technology, Inc.

Bus 630 communicatively couples processor(s) 605 with the other memory, storage and communication blocks. Bus 630 can be, for example, a Peripheral Component Interconnect (PCI)/PCI Extended (PCI-X) bus, Small Computer System Interface (SCSI), USB or the like, for connecting expansion cards, drives and other subsystems as well as other buses, such as a front side bus (FSB), which connects processor 605 to system memory.

Optionally, operator and administrative interfaces, such as a display, keyboard, and a cursor control device, may also be coupled to bus 630 to support direct operator interaction with computer system 600. Other operator and administrative interfaces can be provided through network connections connected through communication port 610.

Removable storage media 640 can be any kind of external hard-drives, floppy drives, IOMEGA® Zip Drives, Compact Disc-Read Only Memory (CD-ROM), Compact Disc-Re-Writable (CD-RW), Digital Video Disk-Read Only Memory (DVD-ROM).

Components described above are meant only to exemplify various possibilities. In no way should the aforementioned exemplary computer system limit the scope of the present disclosure.

While embodiments of the present invention have been illustrated and described, it will be clear that the invention is not limited to these embodiments only. Numerous modifications, changes, variations, substitutions, and equivalents will be apparent to those skilled in the art, without departing from the spirit and scope of the invention, as described in the claims.

What is claimed is:
 1. A method comprising: receiving, by a firewall device, configuration information from a network administrator, the configuration information including a number (N) of packets to capture by the firewall device responsive to an event detected by the firewall device that is potentially indicative of a threat or undesired activity; receiving, by the firewall device, a plurality of packets; applying, by the firewall device, at least one attack detection algorithm to the plurality of packets, wherein the at least one attack detection algorithm comprises one or more of a set of intrusion detection signatures, a set of malware detection signatures and a set of security policies; and responsive to determining, by the firewall device, based on the at least one attack detection algorithm that a trigger packet of the plurality of packets is associated with a potential threat or potential undesired activity, causing information regarding N packets of the plurality of packets, inclusive of the trigger packet, to be stored in a log.
 2. The method of claim 1, wherein the information comprises headers of the N packets.
 3. The method of claim 1, wherein the information comprises entire contents of the N packets.
 4. The method of claim 1, further comprising at least temporarily storing the received packets to a circular buffer having a size based at least in part on N.
 5. The method of claim 1, wherein at least one packet of the N packets was received by the firewall device prior to the trigger packet.
 6. The method of claim 1, wherein the plurality of packets includes packets associated with a plurality of sessions.
 7. The method of claim 1, further comprising causing, by the firewall device, a logging system to analyze the log to determine context of the potential threat or the potential undesired activity by sending the log to the logging system.
 8. A non-transitory computer-readable storage medium tangibly embodying a set of instructions, which when executed by one or more processors of a firewall device, cause the one or more processors to perform a method comprising: receiving configuration information from a network administrator, the configuration information including a number (N) of packets to capture by the firewall device responsive to an event detected by the firewall device that is potentially indicative of a threat or undesired activity; receiving a plurality of packets; applying at least one attack detection algorithm to the plurality of packets, wherein the at least one attack detection algorithm comprises one or more of a set of intrusion detection signatures, a set of malware detection signatures and a set of security policies; and responsive to determining based on the at least one attack detection algorithm that a trigger packet of the plurality of packets is associated with a potential threat or potential undesired activity, causing information regarding N packets of the plurality of packets, inclusive of the trigger packet, to be stored in a log.
 9. The non-transitory computer-readable storage medium of claim 8, wherein the information comprises headers of the N packets.
 10. The non-transitory computer-readable storage medium of claim 8, wherein the information comprises entire contents of the N packets.
 11. The non-transitory computer-readable storage medium of claim 8, wherein the method further comprises at least temporarily storing the received packets to a circular buffer having a size based at least in part on N.
 12. The non-transitory computer-readable storage medium of claim 8, wherein at least one packet of the N packets was received by the firewall device prior to the trigger packet.
 13. The non-transitory computer-readable storage medium of claim 8, wherein the plurality of packets includes packets associated with a plurality of sessions.
 14. The non-transitory computer-readable storage medium of claim 8, wherein the method further comprises causing a logging system to analyze the log to determine context of the potential threat or the potential undesired activity by sending the log to the logging system.